portal-api (REST + GraphQL)
Portal owns tenant identity, memberships, invitations, onboarding, RBAC, billing entry points, and platform authorization decisions.
Runtime
| Property | Current contract |
|---|---|
| Production API origin | https://api.portal.inblack.app |
| GraphQL | POST /graphql |
| External-agent bootstrap | POST /api/external-agent/signup |
| GraphQL operations | 39: 15 queries and 24 mutations |
| HTTP registrations | 44 total; the public reference omits internal and unresolved routes |
portal.inblack.app is not the canonical API origin. Use the API hostname or the environment-specific origin returned by platform bootstrap/configuration.
GraphQL domains
The generated schema reference covers tenant and practice organizations, team membership, invitations, onboarding, rule packages, roles, and entitlements. Most fields carry @authenticated; additional restrictions are visible in the directive column.
Example:
curl https://api.portal.inblack.app/graphql \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"query":"{ myOrganizations { id name status defaultCurrency } }"}'See the GraphQL operation reference for exact arguments, output types, directives, and source locations.
HTTP routes
Portal registers authenticated product routes for billing and model-negotiation policy, the external-agent signup route, operational routes, a development playground, and the Stripe provider callback. Admin/model-negotiation and internal authorization routes remain excluded from the public reference.
Do not infer integration CRUD routes from UI labels. Use the HTTP route reference for paths actually registered in source.
Authentication
Authenticated GraphQL and product routes use the current Portal auth and membership path. Send an accepted bearer credential and explicit X-Tenant-ID when the route requires tenant context. External-agent signup has its own owner-principal and scope/audience checks.
The Stripe webhook is a provider callback, not a customer-callable REST API.
Agent boundary
Product UIs and backend integrations may call Portal APIs directly. Agents default to MCP where a Portal tool exists; the API schema is not a promise that every operation is exposed as an agent tool.